OT:ICEFALL

OT:ICEFALL - A Decade of Insecure-by-Design Practices in OT

Forescout’s Vedere Labs has discovered a set of 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors caused by insecure-by-design practices in OT. The affected products are known to be prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation. Many of these products are sold as “secure by design” or have been certified with OT security standards.

  • 56 vulnerabilities
  • 26 device models
  • 10 device manufacturers affected

What We Found

The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.

  • Among the vulnerabilities we found, 38% allow for compromise of credentials, 21% allow for firmware manipulation and 14% allow remote code execution
  • 74% of affected product families have some form of security certification
  • Risk management is complicated by the lack of CVEs

Why OT:ICEFALL Matters

With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault. These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them. The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.

Why the Name OT:ICEFALL?

It has been 10 years since Project Basecamp, a research project conducted by Digital Bond that investigated how critical OT devices and protocols were, to use the term they coined, “insecure by design.” Icefall is the name of the second stop on the Everest route, after Base Camp. Given the rising number of OT vulnerability disclosures, we know we have a mountain to climb to secure these devices and protocols.

Risk Mitigation Strategies

While device manufacturers address the fundamental issues with insecure-by-design firmware and protocols, asset owners should intensify their own cybersecurity efforts. These include monitoring the network, reducing traffic between IT and OT networks and between OT networks and the internet, limiting network connections to OT devices to specifically allowed engineering workstations, and, where possible, focusing on consequence reduction.
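The allowlisting and IT/OT traffic-reduction advice above can be checked mechanically against flow records. The following is an added example written for this page, not Forescout code and not how eyeInspect works: it classifies constructed flow records against an OT address range, an allowlist of engineering workstations and a set of engineering-protocol ports. All addresses are hypothetical; the only real-world values are the ports 502 (Modbus/TCP) and 44818 (EtherNet/IP), and whether those are the right ports for a given site is an assumption to be replaced with the site's own inventory.

```python
"""Flag OT flows that violate an engineering-workstation allowlist.

Added example for this page; not Forescout's or eyeInspect's code.
All addresses and the inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dst_port: int  # destination port
    proto: str     # "tcp" or "udp"


# Constructed inventory (hypothetical site layout).
OT_NETWORK = ip_network("10.20.0.0/24")                 # PLCs, RTUs, HMIs
ENGINEERING_WORKSTATIONS = {"10.10.0.5", "10.10.0.6"}  # only hosts allowed to speak engineering protocols to OT
ENGINEERING_PORTS = {502, 44818}                        # 502 = Modbus/TCP, 44818 = EtherNet/IP (assumed relevant here)

# Anything outside these ranges is treated as "the internet" for this check.
# Deliberately not ipaddress.is_private(): that also matches documentation
# ranges such as 203.0.113.0/24, which we want to count as external.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address lies in one of the site's internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates policy, else None.

    Rules, in priority order:
      1. engineering protocol to an OT device from a non-allowlisted, non-OT host
      2. any traffic between an OT device and an external (internet) address
      3. any other IT-to-OT traffic not originating from an allowlisted workstation
    OT-to-OT traffic and allowlisted workstation traffic are accepted.
    """
    src_in_ot = ip_address(flow.src) in OT_NETWORK
    dst_in_ot = ip_address(flow.dst) in OT_NETWORK
    src_allowed = flow.src in ENGINEERING_WORKSTATIONS

    if dst_in_ot and flow.dst_port in ENGINEERING_PORTS and not src_in_ot and not src_allowed:
        return "engineering-protocol access from non-allowlisted host"
    if (src_in_ot and not is_internal(flow.dst)) or (dst_in_ot and not is_internal(flow.src)):
        return "OT device exchanging traffic with the internet"
    if dst_in_ot and not src_in_ot and not src_allowed:
        return "IT-to-OT traffic outside the allowlist"
    return None


def audit(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Run classify() over a batch of flows and keep only the violations."""
    findings = []
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            findings.append((flow, reason))
    return findings


# Constructed sample flows, e.g. exported from a flow collector or a span port.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.0.10", 502, "tcp"),     # allowlisted workstation -> PLC: fine
    Flow("10.10.0.77", "10.20.0.10", 502, "tcp"),    # unknown IT host speaking Modbus to a PLC
    Flow("10.20.0.10", "203.0.113.9", 443, "tcp"),   # PLC reaching out to an external address
    Flow("10.30.0.4", "10.20.0.10", 80, "tcp"),      # IT host browsing a PLC web interface
    Flow("10.20.0.11", "10.20.0.10", 502, "tcp"),    # HMI -> PLC inside the OT segment: fine
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}: {reason}")
```

The three rules map onto the three recommendations in the paragraph: rule 1 enforces the engineering-workstation allowlist, rule 2 catches OT devices talking to the internet, and rule 3 surfaces the remaining IT-to-OT traffic that segmentation should be reducing. In practice the inventory would come from the asset database rather than constants, and the flows from a collector, but the classification logic is the same.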

How Forescout Can Help

Implementing mitigation for OT:ICEFALL requires:

The Forescout Continuum Platform helps you achieve all of these steps without disrupting critical business processes or requiring operational downtime. Forescout’s eyeInspect product has native monitoring capabilities for the protocols used by the affected devices and built-in detection for exploitation of the OT:ICEFALL vulnerabilities. Customers should update to the latest eyeInspect release to make full use of our industrial threat library, which is updated monthly with ICS-specific IOCs and CVEs.

Commitment to the Cybersecurity Community

As part of the OT:ICEFALL disclosure, Forescout provided the cybersecurity community with a technical report in which we discuss the 56 vulnerabilities, their impact and their mitigation in detail, as well as the insecure-by-design debate, the effect of opacity on risk management, industry-specific attack scenarios and more.

Security Advisories